SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-22 09:14:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move nspawn containers into nspawn directory

Browse source
This commit is contained in:
SebastianStork 2024-09-16 20:41:43 +02:00
parent be488a91a7
commit 5b1fc56176
14 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

59
hosts/stratus/containers/nspawn/forgejo/backup.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
pkgs,
lib,
dataDir,
...
}:
{
systemd.tmpfiles.rules = [ "d ${dataDir}/backup 750 forgejo forgejo -" ];
security.polkit = {
enable = true;
extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "forgejo.service" &&
subject.user == "forgejo") {
return polkit.Result.YES;
}
});
'';
};
myConfig.resticBackup.forgejo = {
enable = true;
user = config.users.users.forgejo.name;
healthchecks.enable = true;
extraConfig = {
backupPrepareCommand = ''
${lib.getExe' pkgs.systemd "systemctl"} stop forgejo.service
${lib.getExe' config.services.postgresql.package "pg_dump"} forgejo --format=custom --file=${dataDir}/backup/db.dump
'';
backupCleanupCommand = ''
${lib.getExe' pkgs.systemd "systemctl"} start forgejo.service
'';
paths = [
"${dataDir}/home/custom"
"${dataDir}/home/data"
"${dataDir}/home/repositories"
"${dataDir}/home/.ssh"
"${dataDir}/backup"
];
extraBackupArgs = [ "--exclude='${dataDir}/home/custom/conf/app.ini'" ];
};
};
environment.systemPackages = [
(pkgs.writeShellApplication {
name = "forgejo-restore";
text = ''
systemctl stop forgejo.service
sudo -u forgejo restic-forgejo restore --target / latest
sudo -u forgejo pg_restore --clean --if-exists --dbname forgejo ${dataDir}/backup/db.dump
systemctl start forgejo.service
'';
})
];
}

46
hosts/stratus/containers/nspawn/forgejo/default.nix Normal file
View file

@ -0,0 +1,46 @@
{
containers.forgejo.config =
{
config,
lib,
dataDir,
...
}:
{
imports = [ ./backup.nix ];
sops.secrets."forgejo-admin-password" = {
owner = config.users.users.forgejo.name;
inherit (config.users.users.forgejo) group;
};
systemd.tmpfiles.rules = [
"d ${dataDir}/home 750 forgejo forgejo -"
"d ${dataDir}/postgresql 700 postgres postgres -"
];
services.postgresql.dataDir = "${dataDir}/postgresql";
services.forgejo = {
enable = true;
stateDir = "${dataDir}/home";
lfs.enable = true;
database.type = "postgres";
settings = {
server = {
DOMAIN = config.networking.fqdn;
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
};
service.DISABLE_REGISTRATION = true;
};
};
systemd.services.forgejo.preStart = ''
create="${lib.getExe config.services.forgejo.package} admin user create"
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${config.sops.secrets.forgejo-admin-password.path})" || true
'';
myConfig.tailscale.serve = "3000";
};
}

35
hosts/stratus/containers/nspawn/forgejo/secrets.yaml Normal file
View file

@ -0,0 +1,35 @@
tailscale-auth-key: ENC[AES256_GCM,data:9jqpLTuBWvonEsTuzxxtgOnw4bvjQG49wu6VrxwdnrwI7VmLcTcVzotyU+Vqsmys5dTMR5JtMLkN+OOw6zg=,iv:HM819F8A2W+5oBi+QLaRW//4kPKzmqG4EQicWm9aGKc=,tag:XzFSLI4WNGmgPBiffv4rXQ==,type:str]
forgejo-admin-password: ENC[AES256_GCM,data:l/6pYXwUEsu6dvEXQAhN46dXk08XCk33G1GeoLrm,iv:Z635DD5ca4wZ9vO2VAlo1rzockKL/XC0/GrQPV/59XA=,tag:XZVQS5tOPdBfYAIURfZ5vQ==,type:str]
restic:
environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str]
password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejdhUzZyQ1RROGZmZUdX
UFR6NlBsbVZDMjJwM3pidi8waWNWVS9id2tnClBxQ3J6N0IwOGZ5eFZFZHU1ZEN3
YUh2c3VUd2xLa3NEdWUzdE1aOUZONFUKLS0tIHpGM1pMeUFQYytoQmdncHJWUHlz
L003dzV4Z0lTRllkVDJlSm16S1crMlUKtW70ZGOCC9iwfQ7kxzx+DT7l2qSub9Bf
VfdlHP1XHXhEw3Don3OLrzwaIzXBbfqGGtpd0rWIoxISqjguBulR9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVFCOUt0TDdOZnA1c3NZ
UDVJcUNUS3dqVmJMOVIra0tEVEJ5cjVNYnljCkcxMXF2SGJFRDVDeEFFTEh5dUdV
MkEzQXE3TjhHcUJjdXhGSHZyanpVZ1UKLS0tIERlVXNXNjV5OHdyeG5LdCtIVWNG
YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg
bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-14T10:12:04Z"
mac: ENC[AES256_GCM,data:6RKzMLVWCI9szPEXyJany873xSwIaWTR8Oi+L2+qIQC5JRpnvKYk8tnECcXJUO/dQehLtixNiofAuiNCbN/SD3tE7sppBfp/wgdfn6uZpl5rE6X3Gbdgj2+9/ANMjD2S+Vd02MSq4WVvGmtFWmYWFWhqeBS6X5slRs5ug6wRktg=,iv:ati1h8fB/iadMiEfNMb3vpiv/DKg5BUdMN3cHLi6Kj4=,tag:n02eCi3sdt8yMOeXB+5kCw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0